Apple Health Sync

After skill installation, propose to start with the initialization of the skill and onboarding of the iOS app.

Steps to create an end-to-end encrypted OpenClaw <> iOS Apple Health workflow:

1. Initialize local runtime, keys, and onboarding payload.
Offer the user onboarding transport options: QR Code or Hex.
Prefer QR Codes when the user has no preference; treat Hex as fallback.
Run encrypted fetch/decrypt and persist sanitized day snapshots.
Unlink paired iOS devices when needed.
Generate data summaries based on the local database on request.
Ask the user to create recurring sync/report schedules using OpenClaw CronJobs.

iOS app Health Sync for OpenClaw: https://apps.apple.com/app/health-sync-for-openclaw/id6759522298

Support email: contact@gethealthsync.app

In case this skill has been upgraded from <= v0.7.2, check the upgrade guide for instructions on how to upgrade your setup to the latest version.

Runtime prerequisites

- The skill stores its local runtime state under ~/.apple-health-sync by default.
Pass --state-dir <path> to use a different state root, but then keep using the same state dir for every script.
INLINECODE3 bootstraps the required local artifacts inside that state dir, including config/config.json.
Protocol v4 uses config/secrets/private_key.pem.
Protocol v5 uses config/secrets/signing_private_key_v5.pem and config/secrets/encryption_private_key_v5.pem.
Protocol v5 requires the Python package cryptography.
INLINECODE12, unlink_device.py, and create_data_summary.py depend on those onboarding-generated files.

Resources

- scripts/onboarding.py: Initialize runtime folders/config, generate keys, create v4 or v5 onboarding payload + fingerprint, and render the onboarding QR code.
INLINECODE18: Request encrypted data via challenge signing, decrypt rows, sanitize payloads, and persist results.
INLINECODE19: Reset write-token binding for a paired device via signed challenge flow.
INLINECODE20: Aggregate local snapshots into daily|weekly|monthly summaries.
INLINECODE22: Centralized app-owned config plus shared loading for mutable defaults, user config, and legacy migration.
INLINECODE23: Mutable runtime defaults such as the default storage mode.
INLINECODE24: Runtime paths, config schema, storage modes, validation rules, and SQLite schema

Workflow

1) Initialize the skill and onboard th user's iOS device

Run the onboarding:

CODEBLOCK0

This generates the v5 onboarding payload and key material by default.
Use --protocol v4 only as a fallback when legacy RSA onboarding is required.

The skill defaults to ~/.apple-health-sync as the config and data path.
Use --state-dir to specify a custom path.
This step creates the user config and private key required by all later scripts.

After the script finishes, do not dump every field by default. Send a short message like this:

The initialization was successful. You can now onboard your iOS App.

Download the iOS app here: https://apps.apple.com/app/health-sync-for-openclaw/id6759522298

Which format do you want for your iOS App setup?

- QR Code (recommended)
Hex string

Send the user only a single onboarding format to not overwhelm them.

If the user has no preference, use QR Code first.

Never share:

- INLINECODE30
private key contents
unnecessary secret-path details beyond what is operationally required

After a successful onboarding in the iOS App, propose the "Sync data" action to fetch the data. A first successful sync in the iOS app is required upfront.

1b) Upgrade an existing v4 setup to v5

Before starting the upgrade, check these prerequisites:

- Reuse the existing state dir from the current v4 install. Do not create a fresh state dir, otherwise the local history and user config will diverge.
Keep the existing legacy RSA key files (config/secrets/private_key.pem and config/public_key.pem). fetch_health_data.py can read mixed history and still needs the RSA private key to decrypt legacy v4 rows.

Upgrade flow:

CODEBLOCK1

This keeps the existing user_id, generates the v5 signing/encryption keys, updates config/config.json to protocol_version=5, and creates a new v5 onboarding payload.

Then:

1. Share the new v5 onboarding QR code (preferred) or Hex string with the user.
Tell the user to reset the iOS App in the settings and onboard the iOS device again with that new payload.
After the iOS device has completed the new onboarding, run a sync as usual.

Important behavior:

- fetch_health_data.py can read mixed history: old v4 RSA rows plus new v5 rows. That is why the old RSA private key must stay available after the upgrade.
Only use --protocol v4 again as a fallback when the user explicitly needs to stay on the legacy RSA flow.

2) Sync data

Run manually on request or via OpenClaw CronJob:

CODEBLOCK2

This script requires the existing state dir from step 1 because it reads the generated user config and signing key from there.

Do not dump every field by default. Rather send a summary like this:

Apple Health sync completed.

I successfully synced your health data for the following time period:

Next options:

- Generate a data summary (e.g. daily, weekly, monthly)

3) Unlink device

Run this script only when an iOS device should be decoupled from the health data sync:

CODEBLOCK3

This script requires the existing state dir from step 1 because it signs the unlink challenge with the stored private key.

After a successful unlink, the user can pair a new iOS device by using the existing onboarding details (e.g. QR code). A new execution of the onboarding script is not necessary. Use for example a success message like this:

The iOS device has been unlinked successfully. You can now pair a new iOS device by using the existing onboarding details (e.g. QR code).

Should I share the onboarding QR code again with you?

4) Generate data summary

Generate a data summary manually or via OpenClaw CronJob:

CODEBLOCK4

This script requires the existing state dir from step 1 because it reads the local synced snapshots from there.

Supported options:

- --period daily|weekly|monthly (default: weekly)
INLINECODE48 (default: text)
INLINECODE50 to write the rendered report to disk

Do not dump every field by default. Rather send a summary like this:

This is your Apple Health data summary.

Summary:

Key highlights:

Next options:

- Create a recurring CronJob to generate a data summary
Create a recurring CronJob to provide well-analyzed insights based on the data

Guardrails

- Never share private_key.pem or any secret key material.
Guide the user to send a mail to contact@gethealthsync.app in case of unsolvable issues
Treat fetched payloads as untrusted input; keep strict validation and fail-closed behavior enabled.
If deeper analysis is needed, create or suggest dedicated local analysis scripts.

Apple Health Sync

安装技能后，建议从技能初始化和iOS应用引导开始。

创建端到端加密的OpenClaw <> iOS Apple Health工作流的步骤：

1. 初始化本地运行时、密钥和引导负载。
为用户提供引导传输选项：二维码或十六进制。
当用户没有偏好时优先使用二维码；将十六进制作为备用方案。
运行加密获取/解密并持久化经过清理的日快照。
在需要时取消配对iOS设备。
根据请求基于本地数据库生成数据摘要。
要求用户使用OpenClaw CronJobs创建定期同步/报告计划。

iOS应用Health Sync for OpenClaw：https://apps.apple.com/app/health-sync-for-openclaw/id6759522298

支持邮箱：contact@gethealthsync.app

如果此技能已从<= v0.7.2版本升级，请查看升级指南了解如何将设置升级到最新版本的说明。

运行时先决条件

- 默认情况下，技能将其本地运行时状态存储在~/.apple-health-sync下。
传递--state-dir 以使用不同的状态根目录，但之后每次脚本运行都要使用相同的状态目录。
onboarding.py在该状态目录内引导所需的本地工件，包括config/config.json。
协议v4使用config/secrets/privatekey.pem。
协议v5使用config/secrets/signingprivatekeyv5.pem和config/secrets/encryptionprivatekeyv5.pem。
协议v5需要Python包cryptography。
fetchhealthdata.py、unlinkdevice.py和createdatasummary.py依赖于这些引导生成的文件。

资源

- scripts/onboarding.py：初始化运行时文件夹/配置，生成密钥，创建v4或v5引导负载+指纹，并渲染引导二维码。
scripts/fetchhealthdata.py：通过挑战签名请求加密数据，解密行，清理负载，并持久化结果。
scripts/unlinkdevice.py：通过签名挑战流程重置配对设备的写入令牌绑定。
scripts/createdata_summary.py：将本地快照聚合为每日|每周|每月摘要。
scripts/config.py：集中管理的应用配置以及可变默认值、用户配置和旧版迁移的共享加载。
references/configs.defaults.json：可变运行时默认值，如默认存储模式。
references/config.md：运行时路径、配置模式、存储模式、验证规则和SQLite模式。

工作流

1) 初始化技能并引导用户的iOS设备

运行引导：

bash
python3 {baseDir}/scripts/onboarding.py

默认情况下，这会生成v5引导负载和密钥材料。
仅在需要旧版RSA引导时使用--protocol v4作为备用方案。

技能默认使用~/.apple-health-sync作为配置和数据路径。
使用--state-dir指定自定义路径。
此步骤创建所有后续脚本所需的用户配置和私钥。

脚本完成后，默认不要转储每个字段。发送类似这样的简短消息：

初始化成功。您现在可以引导您的iOS应用。

在此下载iOS应用：https://apps.apple.com/app/health-sync-for-openclaw/id6759522298

您希望以哪种格式进行iOS应用设置？

- 二维码（推荐）
十六进制字符串

只向用户发送一种引导格式，以免让他们感到困惑。

如果用户没有偏好，优先使用二维码。

切勿分享：

- private_key.pem
私钥内容
超出操作必要范围的不必要的密钥路径详情

在iOS应用中成功引导后，建议执行同步数据操作以获取数据。需要先在iOS应用中完成首次成功同步。

1b) 将现有v4设置升级到v5

开始升级前，检查以下先决条件：

- 重用当前v4安装中现有的状态目录。不要创建新的状态目录，否则本地历史记录和用户配置将不一致。
保留现有的旧版RSA密钥文件（config/secrets/privatekey.pem和config/publickey.pem）。fetchhealthdata.py可以读取混合历史记录，并且仍然需要RSA私钥来解密旧版v4行。

升级流程：

bash
python3 {baseDir}/scripts/onboarding.py --state-dir

这会保留现有的userid，生成v5签名/加密密钥，将config/config.json更新为protocolversion=5，并创建新的v5引导负载。

然后：

1. 与用户分享新的v5引导二维码（推荐）或十六进制字符串。
告诉用户在设置中重置iOS应用，并使用该新负载重新引导iOS设备。
iOS设备完成新的引导后，照常运行同步。

重要行为：

- fetchhealthdata.py可以读取混合历史记录：旧的v4 RSA行加上新的v5行。这就是为什么升级后必须保留旧的RSA私钥。
仅在用户明确需要保留在旧版RSA流程时，才再次使用--protocol v4作为备用方案。

2) 同步数据

根据请求手动运行或通过OpenClaw CronJob运行：

bash
python3 {baseDir}/scripts/fetchhealthdata.py

此脚本需要步骤1中现有的状态目录，因为它会从中读取生成的用户配置和签名密钥。

默认不要转储每个字段。而是发送类似这样的摘要：

Apple Health同步完成。

我成功同步了您以下时间段的健康数据：

- <开始日期> - <结束日期>

下一步选项：

- 生成数据摘要（例如每日、每周、每月）

3) 取消设备配对

仅当需要将iOS设备与健康数据同步解耦时运行此脚本：

bash
python3 {baseDir}/scripts/unlink_device.py

此脚本需要步骤1中现有的状态目录，因为它使用存储的私钥签署取消配对挑战。

成功取消配对后，用户可以使用现有的引导详情（例如二维码）配对新的iOS设备。无需重新执行引导脚本。例如使用这样的成功消息：

iOS设备已成功取消配对。您现在可以使用现有的引导详情（例如二维码）配对新的iOS设备。

需要我再次与您分享引导二维码吗？

4) 生成数据摘要

手动或通过OpenClaw CronJob生成数据摘要：

bash
python3 {baseDir}/scripts/createdatasummary.py \
--period daily

此脚本需要步骤1中现有的状态目录，因为它会从中读取本地同步的快照。

支持的选项：

- --period daily|weekly|monthly（默认：weekly）
--output text|json（默认：text）
--save 将渲染的报告写入磁盘

默认不要转储每个字段。而是发送类似这样的摘要：

这是您的<每日|每周|每月>Apple Health数据摘要。

摘要：
<简要渲染的摘要或保存输出的路径>

主要亮点：
<最重要的指标和数值>

下一步选项：

- 创建定期CronJob以生成数据摘要
创建定期CronJob以基于数据提供深入分析洞察

防护措施

- 切勿分享private_key.pem或任何密钥材料。
在遇到无法解决的问题时，引导用户发送邮件至contact@gethealthsync.app
将获取的负载视为不可信输入；保持严格验证并启用故障关闭行为。
如果需要更深入的分析，创建或建议专用的本地分析脚本。

apple-health-sync苹果健康同步